Embodiments of the present invention relate to authentication, and more particularly relate to techniques for authenticating a user based on personalized (i.e., user-provided) authentication data.
User authentication is the process of verifying the identity of a principal (i.e., a user) for a security-related purpose. Generally speaking, this verification is performed by testing one or more of the following “authentication factors:” (1) something the principal knows (referred to as a Type I authentication factor), (2) something the principal has (referred to as a Type II authentication factor), and (3) something the principal is (referred to as a Type III authentication factor).
In the field of computer security, a significant number of existing authentication systems rely on textual passwords or personal identification numbers (i.e., Type I authentication factors) in order to verify the identities of users. However, authentication based on textual authentication data is well known to have several weaknesses. For example, relatively secure (i.e., complex) passwords are generally difficult to remember. Conversely, short or easily memorized passwords are relatively insecure and may be attacked through a variety of methods, such as a dictionary attack. In some cases, Type I authentication factors are combined with Type II authentication factors to increase the security of a system. For example, an ATM typically requires both a PIN and a physical ATM card to carry out transactions. However, Type II authentication factors may also be compromised, such as through loss or theft.
To address some of the above weaknesses, a growing number of computer-based authentication systems are incorporating authentication via Type III, or biometric, authentication factors. Exemplary biometric characteristics include fingerprints, voice, face geometry, retinal pattern, and the like. Since biometric characteristics are inherent to a particular individual, there is no need to memorize authentication information such as a textual password. In addition, many believe that a biometric characteristic cannot be stolen as easily as a physical (i.e., Type II) authentication device/token. To support these biometric systems, non-textual authentication interfaces have been developed. For example, acoustic-based interfaces have been developed to support authentication via voice recognition. Similarly, image and video-based interfaces have been developed to support authentication via facial recognition, fingerprint recognition, and the like.
Unfortunately, despite their advantages, biometric authentication systems still possess a number of weaknesses. Voice-based authentication, in particular, is problematic for several reasons. First, the enrollment/registration process necessary to register a user's voice into a voice-based authentication system can be both time-consuming and cumbersome. For example, this process typically requires the user to recite several sentences' or paragraphs' worth of training data into the system to generate a voice model for the user. In addition, the training data must generally be recited in a quiet environment to capture the user's voice with adequate clarity and precision. As a result, users may be unwilling to spend the time and effort demanded by this process.
Second, authentication based on voice recognition is not particularly reliable. For example, it is possible for an attacker to impersonate the voice of a legitimate user and thus fool the system into providing access. This is known as a “false positive.” It is also possible for a user's voice to change temporarily (e.g., due to a cold or other illness), and thus cause the user to be denied access even though the user is legitimate. This is known as a “false negative.” In either situation, the authentication mechanism fails to operate as intended.
Third, voice recognition is generally a very complex process and may require significant resources to be performed with a reasonable degree of accuracy. For example, a large amount of storage resources may be necessary to store registered training data and voice models, and a large amount of computational resources may be necessary to verify a given voice sample against a registered model. Accordingly, the costs associated with deploying and maintaining a voice-based authentication system can be prohibitively high.
Fourth, since voice characteristics (and other types of biometric characteristics) are inherent to a user, they cannot be reset or reissued if the user's voice is somehow compromised (e.g., through impersonation or a voice recording). This is a significant concern because the legitimate user will have no way to regain secure access to the system. In addition, the legitimate user will no longer be able to use his or her voice as an authentication credential for other voice-based systems.